
Image by LynchMob10-09.
I would bet that neither you, nor anyone else you know, has ever been actually hacked. I know many who were socially engineered though…
Note from Matt: As someone who has had his info socially engineered in the past, I can really feel for Mat’s situation. This article is in no way a knock on him, but I feel his situation presents an event that pushes this issue into the light.
Yesterday I read an article by Mat Honan of Wired. It documents in detail how his Apple, Google, Twitter, and Amazon accounts were recently compromised. His Apple devices were remotely wiped, his personal data was lost, and his entire digital livelihood was shaken at its foundations.
According to Mr. Honan, he was “hacked”.
You have probably never been, and probably never will be, “hacked”
I hear this word tossed around all over the web these days. Did someone take over your Facebook account? You must have been hacked! Did you start receiving loads of spam email out of the blue? Hackers must have dunnit! Someone gained access to your Xbox Live account and started spending your money? Those hackers are ruthless! I understand what Mat Honan went through on a smaller scale, as my Xbox Live account was taken over by someone many years ago when I ran a popular Halo web comic called Halo Babies. Unlike Mr. Honan’s unfortunate story, this person gained access to my popular Xbox Live account to phish info from other users and to buy content using my credit card.
How did this person gain access to my account? The fault was as much mine as it was his. On my part, I provided far more information on the web than I realized. The WHOIS for my website listed my current address and phone number (something I didn’t even realize was public before this all went down), and my email address and other personal information were available in my forum profile on HaloBabies.net. The phisher took this information, and after around eight calls to Xbox support, gained access to my information through tech support agents providing him with little bits of my personal info.
So what exactly is phishing? Wikipedia has a great definition: “Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.” What happened to Mat was not technically phishing, as I will explain below. Hacking is defined by Wikipedia as a “means of finding out weaknesses in a computer or computer network…” Many other definitions are similar, with Dictionary.com calling it an action “to break into (a server, Web site, etc.) from a remote location to steal or damage data”.
What happened to Mat and me was far from hacking, but it also was technically not phishing.
Remember when Sony’s account servers were broken into, and thousands of usernames, passwords, and credit card numbers were stolen? That was hacking. Someone had to exploit a backdoor or other vulnerability in Sony’s firewalls, server security, and more. They then physically accessed the data and copied it to their computer to use for their own ends. Sony was hacked. When someone calls tech support pretending to be you, they aren’t “hacking” anything. They are socially engineering your data and identity to fool a larger company or service provider into thinking they are you.
Consequently, the person who performs these fraudulent actions is not a hacker, but rather a social engineer. There are all kinds of social engineers, from those who use real phishing scams over email and chat, to others who use similar tactics over the phone. Sure, many of these people might actually be skilled at hacking as well, but hacking and social engineering are two different fields, skills, etc.
Phishing is the act of pretending to be a larger company to take advantage of its users. Fake emails to “reset” a user password or offering special content and deals if the user signs in at a specific site are not uncommon in phishing scams. These are people who pretend to be a large company to trick the individual user. However, in both mine and Mat’s stories, we were preyed on by someone who pretended to be the individual user in order to trick the large company. This is much closer to reverse-phishing, or rather, social engineering.
I’ll admit, saying “my Facebook got socially engineered!” doesn’t exactly roll off the tongue, but it’s the truth. Perhaps saying your account was reverse-phished or “engineered” sounds better. Either way, we need to call this stuff what it is, and hacking it is not.
Why do I care?
We live in a society that does everything it can to avoid taking responsibility for its actions. Spill hot coffee on yourself? Why not sue McDonald’s? Too lazy to turn down the volume on your iPod yourself? Sue Apple! Hacking is generally not something that the standard end-user can avoid. Sure, you can install consumer firewalls on your PC, but a skilled hacker will know a dozen ways to compromise them. All that said, let’s stop kidding ourselves. Who would ever actually want to hack your computer? Unless you’re storing high-level corporate secrets on your unencrypted hard drive, I bet the answer is no one.
However, becoming a victim of social engineering is something you can avoid. I was at fault when my Xbox Live account was stolen, and Mat Honan was at fault when his various accounts were taken from him. Mr. Honan may have used the wrong terms when referring to the tragedy that happened to him, but he does not shirk any responsibility. He is very clear that had he been more careful about what information he shared online, the issue could have been avoided.
When I hear someone say “OMG my Facebook account got hacked,” it’s always with the attitude that they did nothing wrong, and that some random stranger just decided to torment them for some reason. There is no responsibility taken by the user at all, and they live in mystery as to why someone would “hack into Facebook” to steal their data. It is a form of shedding any responsibility for something that could have easily been avoided, and that bugs me.
It’s a long shot, but perhaps if we start using proper terminology to describe these identity attacks, people will feel a more urgent need to double-check the information they share publicly. From my discussions with internet users, both novice and experienced, there is a common theme of feeling completely helpless against “hackers who are out there roaming the web for victims.” Almost no one I have spoken to has said anything about steps they can take to secure their own information. If we present realistic dangers in realistic terms for average users, instead of using terms that have been twisted and over-glorified over the years, maybe some light bulbs will go off. If we keep telling everyone they’re getting “hacked” at every turn, people will continue to feel helpless, and the scum of the internet who facilitate social engineering and phishing scams will keep prevailing. If there’s no way to fight them, why bother?
Hackers are a tough enemy, and very difficult to stop without advanced technical skills and software. However, social engineers are generally no different from you or me, with a bit of extra insight into how various social sites and companies work. Is it too much to ask that we stop glorifying these people as “hackers”? The title connotes an undue sense of accomplishment to these people despite most of them having very little experience actually hacking anything. The less sexy it is to be a social engineer, the fewer kids will strive to be one, and the less scary their tactics will seem to average users.
At least that’s the hope.
/rant
